From 9ae21d64d534eb64bd070bc7b58a960ed582730a Mon Sep 17 00:00:00 2001
From: marioqxx
Date: Sun, 14 May 2023 14:29:13 +0200
Subject: [PATCH 1/4] Workaround to user_saml-application to return lower-case realm when configured through environment-variable.
Signed-off-by: marioqxx
---
 roles/install_nextcloud/README.md | 14 +++++++++++-
 roles/install_nextcloud/defaults/main.yml | 1 +
 roles/install_nextcloud/tasks/main.yml | 26 +++++++++++++++++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/roles/install_nextcloud/README.md b/roles/install_nextcloud/README.md
index 0de679be..448127f4 100644
--- a/roles/install_nextcloud/README.md
+++ b/roles/install_nextcloud/README.md
@@ -562,6 +562,18 @@ The name may not be canon some times. (like **appName-x.y.z** instead of **appNa
 Changing a parameter, then running the role again while the app is already enabled will **not** update its configuration.
 - this post_install process is tagged and can be called directly using the `--tags install_apps` option.
+#### Patch **user_saml** Application
+
+When `user_saml` Application is configured via Environment-variable the returned principal contains an upper-case realm. This is e.g. undesirable when the user backend stores the principals with realm in lower-case.
+This patch adds a workaround to `SAMLController.php`, which converts the realm to lower-case. To activate this patch, you also need to `user_saml` application defined in `nextcloud_apps`.
+```yaml
+nextcloud_apps:
+ user_saml:
+nextcloud_patch_user_saml_app: true
+```
+This patch is a modified version of the workaround proposed [here](https://github.com/nextcloud/user_saml/issues/118).
+Note: When `user_saml` application is updated, this patch will be overwritten. In this case you may re-apply the patch by calling directly using the `--tags patch_user_saml_app` option.
+
 ## Example Playbook
 ### Case 1: Installing a quick Nextcloud demo
 In some case, you may want to deploy quickly many instances of Nextcloud on multiple hosts for testing/demo purpose and don't want to tune the role's variables for each hosts: Just run the playbook without any additional variable (all default) !
@@ -592,7 +604,7 @@ You can choose the version channel to download a specific version of nextcloud.
 ### Case 2: Using letsencrypt with this role.
 This role is not designed to manage letsencrypt certificates. However you can still use your certificates with nextcloud.
-You must create first your certificates using a letsencrypt ACME client or an Ansible role like [this one] (https://github.com/jaywink/ansible-letsencrypt)
+You must create first your certificates using a letsencrypt ACME client or an Ansible role like [this one](https://github.com/jaywink/ansible-letsencrypt)
 then call _install_nextcloud_ by setting `nextcloud_tls_cert_method: "installed"`
diff --git a/roles/install_nextcloud/defaults/main.yml b/roles/install_nextcloud/defaults/main.yml
index a7f312f8..945f6363 100644
--- a/roles/install_nextcloud/defaults/main.yml
+++ b/roles/install_nextcloud/defaults/main.yml
@@ -118,6 +118,7 @@ nextcloud_tls_session_cache_size: 50m # in Byte or human readable size notation
 # [APPS]
 nextcloud_apps: {}
 nextcloud_disable_apps: []
+nextcloud_patch_user_saml_app: false # Apply Workaround to lower-case REALM for REMOTE_USER environment-variable.
 # [SYSTEM]
 # nextcloud_mysql_root_pwd: "secret"
diff --git a/roles/install_nextcloud/tasks/main.yml b/roles/install_nextcloud/tasks/main.yml
index 67413b6c..ddc64e56 100644
--- a/roles/install_nextcloud/tasks/main.yml
+++ b/roles/install_nextcloud/tasks/main.yml
@@ -89,6 +89,7 @@
 - nextcloud_apps is mapping
 tags:
 - install_apps
+ - patch_user_saml_app
 block:
 - name: "[NC apps] - lists the number of apps available in the instance."
 ansible.builtin.command: php occ app:list --output=json_pretty --no-warnings
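Review bot: The trailing comment on `nextcloud_patch_user_saml_app` describes the workaround as lower-casing the REALM, but the fragment added in patch 2/4 (`files/SAMLController.patch`) runs `strtolower()` over the whole `$_SERVER['REMOTE_USER']` value, user part included, and the README paragraphs added in the first hunk here and rewritten in patches 3/4 make the same realm-only claim. Lower-casing the full principal changes which identity string reaches the user-backend lookup, so the variable should document the real behaviour and the assumption it rests on, e.g. `nextcloud_patch_user_saml_app: false  # Lower-case the complete REMOTE_USER principal (user and realm) before user_saml evaluates it; only safe when the user backend treats user names case-insensitively.`. It would also help to say here that the flag edits a file inside the third-party `user_saml` app, which an app update overwrites, and that the patch is re-applied with `--tags patch_user_saml_app`.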
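Review bot: Tagging the whole `[NC apps]` block with `patch_user_saml_app` makes every install task inside it selectable by that tag, and the only thing stopping them from running on a `--tags patch_user_saml_app` run is the guard `- ansible_run_tags is not search('patch_user_saml_app')` added at `@@ -110` in the next hunk. `search` is a regular-expression match on the stringified tag list, so any run tag that merely contains that text also suppresses the installs, and as far as the visible condition goes a combined `--tags install_apps,patch_user_saml_app` run skips them too; the exact membership test `- "'patch_user_saml_app' not in ansible_run_tags"` avoids both. The block's `when:` and its remaining tasks begin before this hunk, so I cannot tell whether anything else in it depends on `nc_available_apps`, which is presumably produced by the `php occ app:list` task. A comment next to the new tag, `# also tagged so that a --tags patch_user_saml_app run still produces nc_available_apps for the patch block`, would explain why an install block carries a patch tag.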
@@ -110,8 +111,10 @@
 # do if the app is not enabled and ( (archive path is not "") or (app is disabled) )
 when:
 - item.key not in nc_available_apps.enabled
+ - ansible_run_tags is not search('patch_user_saml_app')
 with_dict: "{{ nextcloud_apps }}"
+
 - name: Add indices
 ansible.builtin.command: php occ db:add-missing-indices
 args:
@@ -122,3 +125,26 @@
 register: nc_indices_cmd
 changed_when: '"Done" not in nc_indices_cmd.stdout'
 when: nextcloud_install_db
+
+- name: "[Main] - Patch from the app 'user_saml' the file SAMLController.php."
+ when:
+ - nextcloud_patch_user_saml_app
+ - nc_available_apps.enabled['user_saml'] is defined or nc_available_apps.disabled['user_saml'] is defined
+ tags:
+ - patch_user_saml_app
+ vars:
+ pattern: '.*\$this->session->set\(.user_saml\.samlUserData.,\s+\$_SERVER\);.*'
+ file2patch: "{{ nextcloud_webroot + 'apps/user_saml/lib/Controller/SAMLController.php' }}"
+ block:
+ - name: "[Main] - Check if SAMLController.php can be patched."
+ ansible.builtin.slurp:
+ src: "{{ file2patch }}"
+ register: df_file
+ - name: "[Main] - Patch file SAMController.php."
+ ansible.builtin.blockinfile:
+ block: "{{ lookup('ansible.builtin.file', 'files/SAMLController.patch') }}"
+ path: "{{ file2patch }}"
+ insertbefore: "{{ pattern }}"
+ marker: " /** {mark} ANSIBLE MANAGED BLOCK */"
+ when: df_file.content | b64decode | regex_search(pattern)
From 0da87e64f3e006a4ff7437643a91dab91be969d0 Mon Sep 17 00:00:00 2001
From: marioqxx
Date: Sun, 14 May 2023 14:31:17 +0200
Subject: [PATCH 2/4] Workaround to user_saml-application to return lower-case realm when configured through environment-variable.
Signed-off-by: marioqxx
---
 roles/install_nextcloud/files/SAMLController.patch | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 roles/install_nextcloud/files/SAMLController.patch
diff --git a/roles/install_nextcloud/files/SAMLController.patch b/roles/install_nextcloud/files/SAMLController.patch
new file mode 100644
index 00000000..b75667fd
--- /dev/null
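Review bot: The `[Main] - Patch file SAMController.php.` task rewrites a third-party PHP source in place with `blockinfile` and never checks the result: the `insertbefore` regex only proves that the `$this->session->set('user_saml.samlUserData', $_SERVER)` line exists, not that the verbatim fragment lands at a syntactically valid spot, so a mismatch would leave a controller that may no longer parse. Since the role already runs `php occ` on the host, adding `validate: "php -l %s"` and `backup: true` to the `ansible.builtin.blockinfile` call would refuse a broken write and keep a copy of the original file. `file2patch` concatenates `nextcloud_webroot` with `+` and no separator, which only works if that variable is defined with a trailing slash (its default is not in this patch); `"{{ [nextcloud_webroot, 'apps/user_saml/lib/Controller/SAMLController.php'] | path_join }}"` does not depend on that. The slurp task named `Check if SAMLController.php can be patched` fails the play when the file is missing rather than skipping, which is fine if intended but the name suggests otherwise, and the second task name is missing the `L` in `SAMLController.php`.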
+++ b/roles/install_nextcloud/files/SAMLController.patch
@@ -0,0 +1,3 @@
+ if (isset($_SERVER['REMOTE_USER'])) {
+ $_SERVER['REMOTE_USER'] = strtolower($_SERVER['REMOTE_USER']);
+ }
From 79cc9ffa5b0b0e9ebb7137879758e0d8df5dcc36 Mon Sep 17 00:00:00 2001
From: marioqxx
Date: Sun, 14 May 2023 14:35:49 +0200
Subject: [PATCH 3/4] Workaround to user_saml-application to return lower-case realm when configured through environment-variable.
Signed-off-by: marioqxx
---
 roles/install_nextcloud/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/install_nextcloud/README.md b/roles/install_nextcloud/README.md
index 448127f4..f62c373e 100644
--- a/roles/install_nextcloud/README.md
+++ b/roles/install_nextcloud/README.md
@@ -564,8 +564,8 @@ Changing a parameter, then running the role again while the app is already enabl
 #### Patch **user_saml** Application
-When `user_saml` Application is configured via Environment-variable the returned principal contains an upper-case realm. This is e.g. undesirable when the user backend stores the principals with realm in lower-case.
-This patch adds a workaround to `SAMLController.php`, which converts the realm to lower-case. To activate this patch, you also need to `user_saml` application defined in `nextcloud_apps`.
+When the `user_saml` application is configured using the environment-variable, the returned principal contains an upper-case realm. This is e.g. undesirable when the user backend stores the principals with realm in lower-case, because the case-sensitive lookup for the existing user would not find the existing user.
+This patch adds a workaround to `SAMLController.php`, which converts the realm to lower-case. To activate this patch, you also need to define `user_saml` application in `nextcloud_apps`.
 ```yaml
 nextcloud_apps:
 user_saml:
From 65d4e357fa74bcac5d1994edc8e1e5a0b4a73804 Mon Sep 17 00:00:00 2001
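Review bot: The fragment lower-cases `$_SERVER['REMOTE_USER']` with `strtolower()`, which in PHP releases before 8.2 is, as far as I recall, locale-dependent for bytes outside ASCII, so a principal containing non-ASCII characters can be transformed differently depending on the web server's locale; if only ASCII principals are expected a comment should say so, otherwise `mb_strtolower()` gives a locale-independent result where the mbstring extension is present. The fragment also carries no explanation of why it exists or where it is spliced in, and since `blockinfile` (patch 1/4) inserts it between `/** BEGIN ANSIBLE MANAGED BLOCK */` and `/** END ANSIBLE MANAGED BLOCK */` markers right before the line matching the `session->set(...samlUserData..., $_SERVER)` pattern, a PHP comment inside the fragment is the only documentation a reader of the patched controller will see. I would open it with `// Workaround for nextcloud/user_saml#118: the environment-variable backend may deliver the principal with an upper-case realm; lower-case the whole REMOTE_USER value before it is stored in samlUserData so the user-backend lookup matches.`. The fragment's indentation is fixed in this file while the insertion point is found by regex, so it will not always align with the surrounding method body; harmless to PHP, but worth a sentence in the README.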
From: marioqxx
Date: Sat, 27 May 2023 20:31:22 +0200
Subject: [PATCH 4/4] Updated README according staticdev's suggestion.
Signed-off-by: marioqxx
---
 roles/install_nextcloud/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/install_nextcloud/README.md b/roles/install_nextcloud/README.md
index ee5d2c44..7748757f 100644
--- a/roles/install_nextcloud/README.md
+++ b/roles/install_nextcloud/README.md
@@ -564,7 +564,7 @@ Changing a parameter, then running the role again while the app is already enabl
 #### Patch **user_saml** Application
-When the `user_saml` application is configured using the environment-variable, the returned principal contains an upper-case realm. This is e.g. undesirable when the user backend stores the principals with realm in lower-case, because the case-sensitive lookup for the existing user would not find the existing user.
+If you centrally administer your users and configure nextcloud to include users via LDAP as user-backend through e.g. `user_ldap` module and want to provide Single-sign-on, you may configure the `user_saml` application using the environment-variable `REMOTE_USER`. In this case, the returned principal contains an upper-case realm. This is undesirable when the user backend stores the principals with realm in lower-case, which is the case for `user_ldap`, because the case-sensitive lookup by `user_saml` module for the existing user would not find the existing user. A typical use-case is, when you run a Samba Domain Controller and manage your users centrally in the Domain and want to provide Single-Sign-On in Nextcloud.
 This patch adds a workaround to `SAMLController.php`, which converts the realm to lower-case. To activate this patch, you also need to define `user_saml` application in `nextcloud_apps`.
 ```yaml
 nextcloud_apps:
@@ -572,7 +572,7 @@ nextcloud_apps:
 nextcloud_patch_user_saml_app: true
 ```
 This patch is a modified version of the workaround proposed [here](https://github.com/nextcloud/user_saml/issues/118).
-Note: When `user_saml` application is updated, this patch will be overwritten. In this case you may re-apply the patch by calling directly using the `--tags patch_user_saml_app` option.
+Note: When `user_saml` application is updated, this patch will be overwritten. In this case you may re-apply the patch by calling directly using the `--tags patch_user_saml_app` option. The patch is implemented in a way, that it shall work even when `user_saml`-app (including the patched-file `SAMLController.php`) changes, i.e. it shall be robust against changes of the `user_saml`-app. By an educated guess it will work for future versions of `user_saml`, but in any case it would not change anything if the change to `SAMLController.php` would touch the sensitive code therein.
 ## Example Playbook
 ### Case 1: Installing a quick Nextcloud demo